09-21-2008 08:51 PM - edited 03-11-2019 06:47 AM
A client has an existing router to which I need to add ZBF. The design guide below talks about the overall configuration of ZBF. But because this router is so actively used, I can't rough it in. I need to get the downtime down to about a minute.
So, to minimize the outage, would the order be:
1) Add class maps
2) Add policy maps
3) Add zones
4) Add zone-pairs
5) Assign interfaces to zones?
To "deactivate ZBF" if it doesn't go well, is the fastest way to remove all interfaces from zone membership?
Thanks.
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
09-25-2008 08:46 AM
Hi Michael,
Your plan looks good to me. If possible, I would recommend both writing and testing the configuration on a non-production router first. This way, you can work out any quirks in your config and make sure everything works as expected. Once this is done, you can copy the configuration into a text editor and simply paste it into the production router during a brief maintenance window.
Also, you are correct in that the fastest way to "deactivate" ZBFW is to simply remove the interfaces' zone membership.
Hope that helps.
-Mike
01-27-2009 03:16 PM
Mike,
If you remove the interfaces' zone membership, doesn't IOS firewall default to not passing any traffic?
01-28-2009 01:59 AM
No, it doesn't. When you remove zone membership from interfaces, ZBF is no longer effective for those interfaces, which means any policies applied to ZBF also become void for those interfaces.
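The five-step order from the question, together with the back-out described in the replies, written out as an IOS configuration fragment. This is an added example, not a configuration posted in the thread; the class-map, policy-map and zone names and the GigabitEthernet0/0 and 0/1 interfaces are assumptions.

```cisco
! Steps 1-4 define policy objects only; nothing is enforced until an
! interface joins a zone in step 5, so they can be pasted with no impact.
!
! Step 1: class map (assumed name CM-INSIDE-TO-OUTSIDE)
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Step 2: policy map; unmatched traffic falls into class-default
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
! Step 3: zones
zone security INSIDE
zone security OUTSIDE
!
! Step 4: zone-pair binding the policy to a direction
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
!
! Step 5: interface membership. This is the only step that changes
! forwarding. Traffic between a zone member and an interface in no zone
! is dropped, so assign both interfaces in the same paste.
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
!
! Back-out (fastest deactivation): drop the membership only. The zones,
! zone-pair and policy stay in the config but no longer affect these
! interfaces, which return to ordinary non-firewalled forwarding.
interface GigabitEthernet0/0
 no zone-member security INSIDE
interface GigabitEthernet0/1
 no zone-member security OUTSIDE
```

Return traffic for inspected sessions is permitted by the stateful inspection, so only one zone-pair is needed for connections initiated from INSIDE; a second zone-pair in the OUTSIDE-to-INSIDE direction would be needed only for inbound-initiated sessions.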